I did more digging into this: It is not really true what I wrote in my
first message, that "each AD domain has a domain Administrators group
(defined as a domain local group)".
Each Domain Controller has a local Administrators group, just like any
W2K computer. BUT all Domain Controllers in a domain share this group
--- it is replicated across all DCs in a domain, so any changes to the
Administrators group on one DC are replicated to all DCs in the same domain.
That doesn't make this group "domain local" though. Non-DC computers in
the domain don't see it, and they each have their own Administrators
group.
So there really aren't two Administrators groups. Each computer in the
domain has only one. If it is a non-DC computer, then it has its own
truly local Administrators group. If it is a DC, then it has the
Administrators group shared with all DCs in the same domain.
I have looked through a number of sources on this, and hardly anybody
gets it right. Some descriptions are just plain wrong, and others don't
say enough to make it clear. Online documentation at the Microsoft site
says the Administrators group has domain local scope, and mentions "the
Administrators group in a domain" as though there was only one, which
really confuses the issue.
http://www.microsoft.com/windows2000/en/server/help/sag_ADgroups_9builtin_intro.htm?id=286